Disable Accounts in Bulk using workflow

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hi All,
Disable Account Source
Used above mentioned query but it works for single account but i need to do this for multiple accounts.
If i want to disable users in bulk how could i achieve this using workflow.

I have used the loop but it not disabling the accounts.

Thanks,
Shantha Kumar

2

Hey @Santhakumar , What is the trigger you want to use ? When are you willing to disable the users and on what source ?

Thanks

3

@Santhakumar

Based on assumptions lets say , you are disabling accounts using workflows for identities whose lifecycle attribute is changing .
The following is the workflow :
image.

The key changes you need consider is , “Manager Accounts” operation . Select choose variable and give a proper filter which can fetch all account ids.

image
image1280×742 41.9 KB

Please in the below json script for the same .

{
	"name": "Test",
	"description": "",
	"modified": "2024-09-24T05:59:52.374976265Z",
	"modifiedBy": {
		"type": "IDENTITY",
		"id": "f0094611513e4cc28d284a02de9084cc",
		"name": "test.user"
	},
	"definition": {
		"start": "Get Accounts",
		"steps": {
			"Get Accounts": {
				"actionId": "sp:get-accounts",
				"attributes": {
					"getAccountsBy": "specificIdentity",
					"identity.$": "$.trigger.identity.id"
				},
				"displayName": "",
				"nextStep": "Manage Accounts",
				"type": "action",
				"versionNumber": 1
			},
			"Manage Accounts": {
				"actionId": "sp:manage-account",
				"attributes": {
					"accountIds.$": "$.getAccounts.accounts[*].id",
					"operation": "disable"
				},
				"displayName": "",
				"type": "action",
				"versionNumber": 1
			}
		}
	},
	"creator": {
		"type": "IDENTITY",
		"id": "f0094611513e4cc28d284a02de9084cc",
		"name": "test.user"
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"attributeToFilter": "cloudLifecycleState",
			"filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\")]",
			"id": "idn:identity-attributes-changed"
		}
	}
}

I hope this helps!

Thanks !

4

HI @Santhakumar ,
My suggestion will be , For all other sources , add them in identity profile configuration to be disabled in inactive lcs instead of workflow.It will be more easy instead of workflow.

5

@gourab @sidharth_tarlapally
Case: i have added the new source to disable for Inactive LCS.

But we have 50+ users who’s LCS is already inactive so i want to trigger the disable operation to this users.

How can i achieve this?
Triggers used: Account Aggregation Completed
I have tried to get users by search query:
@accounts(source.name:“AD”) AND attributes.cloudLifecycleState:inactive in Get List of Identities.

And use the loop to get the all users ID and in Manage Accounts i have give like this:
$.getAccounts.accounts[*].id and also give this $.getAccounts.accounts[?(@.sourceName==‘AD’)].id

But the loop has taken the Identities ID as input but it was not taking the source id to disable in Mange Accounts

6

Please include Get Accounts Action before manage accounts

7

@sidharth_tarlapally Inside the loop right?

8

Tried this inside the loop but it’s running for more than 20 min

image
image551×825 22.9 KB

In loop i have given
$.getListOfIdentities.identities[].id
For Get Accounts given like $.loop.loopInput By Identity and
Manage Accounts $.getAccounts.accounts[].id

9

@Santhakumar

I have tested the workflow for your usecase . It worked for me. Please try the below:
Step 1: Choose a suitable trigger (Aggregation is also fine) .

Step 2 : Search query to fetch your intended identities (inactive lcs and exists in ad)

Step 3: Iterate these identity id’s in a loop ( you did it for all identities instead of id’s which will consume lot of time) use loop input : $.getListOfIdentities.identities[*].id

Step 3.1 : Get Account ID’s of the intended identities using Get Accounts Operator within the loop. Use Get Accounts input : $.loop.loopInput

Step 3.2: Manage Accounts Operation. Pass $.getAccounts.accounts[*].id in the manage account operator .

Step 3.3: End Step in the loop

Step 4 : End step outside loop

image
image541×625 32 KB

Please download script and save it . Import this as a new workflow and try testing.
replace search query and manage account operation inputs

Test220240924.json (1.7 KB)

Thank you

10

Receiving this error any thing I need to change?
image

11

Please change “modifiedBy” and “creator” attribute with your details.

12

Hi

If you are testing it from the workflow window, you have to change the input body with the existing identity ID and account name of the user

Thanks,
Siva.K

13

Hi @Santhakumar ,

Please download the below script and make the following changes in the json script :
DisableADAccountsofInactiveLCS.json (2.0 KB)

  • Creator Attribute & Modified By Attribute: Replace these with your own identity details.
  • Source name Replacement: Substitute all instances of “Active Directory” with the actual name of your Active Directory source Name.
  • Search Query Update: Modify the search query within the workflow to target the specific accounts you want to disenabled.

Workflow Limitations

Please be aware of potential limitations associated with this workflow approach:

  • Timeout Constraints: The “Get Accounts” operation might fail if it exceeds a one-minute execution time. This can occur if there are a large number of accounts to process.

Recommended Approach: Birthright Provisioning

For a more efficient and reliable account disabling process, I recommend utilizing Birthright Provisioning . This feature automates account lifecycle management based on user attributes. You can find detailed information on Birthright Provisioning in the following documentation:

Birthright Provisioning

Thank you

14

Thanks @sidharth_tarlapally will try this and let u know